
"Nitro Attacks" Malware (RAT) Steals Secrets from Chemical and Defense Firms


The Nitro Attacks targeted the chemical and defense industries: 48 firms were infected with malware (a RAT) used to steal confidential data, according to a recent report from Symantec.
Symantec researched the recent cyber attacks and released a report titled "Nitro Attacks". The report says "the attack started in July 2011 and continued to September 2011".

The attackers changed their targets over time. At first (from April to May 2011), they targeted human-rights-related NGOs. Then, in May, they switched to the motor industry. There were no attacks in June.


According to the report, "29 chemical industries and another 19 other industries (most of them in the defense sector) were infected. In a recent two week period, 101 unique IP addresses contacted a command and control server with traffic consistent with an infected machine. These IPs represented 52 different unique Internet Service Providers or organizations in 20 countries".

The Malware Attack (Remote Administration Tool):
The attackers send a fake email with an attachment containing malware built with Poison Ivy (a Remote Administration Tool (RAT), a backdoor developed by a Chinese hacker).
Once the victim opens the attachment, it infects the system and installs the Poison Ivy server (the malware). After infection, it contacts a C&C server on TCP port 80 using an encrypted communication protocol. Using the C&C server, the attackers then instruct the compromised computer to provide the infected computer's IP address, the names of all other computers in the workgroup or domain, and dumps of Windows cached password hashes.
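The one network-level detail the report gives is that the implant beacons to its C&C over TCP port 80 with an encrypted, non-HTTP protocol. That is something a defender can triage on: a flow to port 80 whose first client bytes do not form an HTTP request line deserves a second look. The following is an added example written for this post, not code from Symantec's report or from the Nitro campaign; the flow records are constructed, the IP addresses are documentation-range placeholders, and the field names (`src`, `dst`, `dport`, `proto`, `client_first_bytes`) are an assumed schema for whatever flow/packet source you actually have.

```python
import re
from collections import defaultdict

# Request methods a legitimate HTTP client would open a port-80 session with.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")

# Constructed sample flows (assumed schema). 203.0.113.7 plays a normal web
# server; 198.51.100.20 plays a C&C host receiving encrypted traffic on port 80.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5",  "dst": "203.0.113.7",   "dport": 80,  "proto": "tcp",
     "client_first_bytes": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"},
    {"src": "10.0.0.5",  "dst": "198.51.100.20", "dport": 80,  "proto": "tcp",
     "client_first_bytes": b"\x8f\x1a\x2c\xd0\x77\x09\xbe\x41"},        # opaque blob
    {"src": "10.0.0.9",  "dst": "198.51.100.20", "dport": 80,  "proto": "tcp",
     "client_first_bytes": b"\x2b\x9d\x7f\x10\xe4\x03\x55\x6a"},        # opaque blob
    {"src": "10.0.0.12", "dst": "203.0.113.7",   "dport": 80,  "proto": "tcp",
     "client_first_bytes": b"POST /api HTTP/1.0\r\nContent-Length: 3\r\n"},
    {"src": "10.0.0.9",  "dst": "198.51.100.20", "dport": 443, "proto": "tcp",
     "client_first_bytes": b"\x16\x03\x01\x00\xa5"},                    # TLS, not port 80
    {"src": "10.0.0.12", "dst": "198.51.100.20", "dport": 80,  "proto": "tcp",
     "client_first_bytes": b"GET /\x00\x7f\x11"},                       # method-looking junk
]


def looks_like_http(first_bytes: bytes) -> bool:
    """True if the client's first bytes form a plausible HTTP/1.x request line."""
    if not first_bytes.startswith(HTTP_METHODS):
        return False
    request_line = first_bytes.split(b"\r\n", 1)[0]
    return re.match(rb"^[A-Z]+ \S+ HTTP/1\.[01]$", request_line) is not None


def flag_non_http_port80(flows):
    """Return TCP/80 flows whose first client payload is not an HTTP request."""
    return [
        f for f in flows
        if f["proto"] == "tcp" and f["dport"] == 80
        and not looks_like_http(f["client_first_bytes"])
    ]


def beacon_summary(flows):
    """Count distinct internal hosts talking to each suspected C&C address,
    the same kind of tally the report uses (unique IPs per C&C server)."""
    hosts = defaultdict(set)
    for f in flows:
        hosts[f["dst"]].add(f["src"])
    return {dst: len(srcs) for dst, srcs in hosts.items()}


if __name__ == "__main__":
    hits = flag_non_http_port80(SAMPLE_FLOWS)
    for f in hits:
        print(f"non-HTTP on tcp/80: {f['src']} -> {f['dst']} "
              f"first bytes {f['client_first_bytes'][:8]!r}")
    print("internal hosts per suspected C&C:", beacon_summary(hits))
```

Treat a hit as a triage signal rather than a verdict: TLS deliberately run on port 80, or proprietary but benign protocols, will also fail the request-line check, so the per-destination host count is what separates one odd server from a C&C that many internal machines are quietly talking to.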

Infected Machines:

The infected systems were located in 20 different countries; the majority were in the USA, Bangladesh, and the UK.

Attacker:
The attacks were traced back to a computer system that was a virtual private server (VPS) located in the United States. However, the system was owned by a 20-something male located in the Hebei region of China. Symantec has internally given him the pseudonym Covert Grove, based on a literal translation of his name.

"We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role. Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties," the official report says.
